The NIS2 Directive is new European Union legislation aimed at strengthening cybersecurity in various sectors, including operators of essential services and digital service providers. From October 2024, companies covered by the NIS2 Directive will have to meet certain minimum cybersecurity requirements. This means that companies must assess their current level of security and develop a plan to comply with the Directive. It is important to work with relevant stakeholders, regulators and supply chain partners to ensure everyone is aware of the requirements. Read more about the impact of the directives and requirements in this article.
Cybersecurity is one of the most pressing issues of our time. Digital technologies have a huge impact on our daily lives, from finance to health, transportation to energy. We rely heavily on them, and their importance will only grow in the future. Unfortunately, cyber-attacks are also on the rise. Governments, hospitals, schools, and other public institutions are often targeted by cybercriminals. And as the number of devices connected to the Internet grows, so does the risk.
To address this threat, the European Union adopted the NIS2 Directive. This directive will come into force on January 16, 2023, and goes far beyond the Network and Information Security (NIS) regulations that have been in place since 2016. In the future, many additional sectors and entities will be considered "critical" or "important" to the economy and society, including public institutions. In addition, companies with more than 50 employees and an annual turnover of more than €10 million will also be covered by the regulations if they are critical.
From October 2024 - when the Directive must be fully transposed into national law - all "critical entities" will have to meet certain minimum cybersecurity requirements for their systems. These include approaches to risk analysis, IT security and access control, as well as measures to counter security incidents and ensure business continuity, including documentation and reporting requirements. The most significant change is the ability to impose sanctions. In the event of non-compliance, responsible parties can be held personally liable. Fines of up to 10 million euros or 2 percent of global annual turnover are possible.
It is clear that the EU is making cybersecurity a top priority. After all, digital infrastructure is critical to the economy and society. Secure, reliable information systems are a key factor for the EU's strategic independence and for strengthening Europe's sovereignty by creating a secure digital base.
But what does this mean for businesses and public institutions? And what does it mean when doing business with suppliers or supply chain partners with critical activities?
NIS2 focuses on the entire business chain. That includes companies that don't have critical activities themselves, but do business with organizations that do. So you will need to determine if chain partners might fall into this category. Do you supply software to parties like KPN or PostNL? Do you do business with a freight forwarder that also ships medical equipment? Do you supply hardware to a small utility company? In all of these cases, you must comply with NIS2.
It is therefore important to look at the cybersecurity of your supply chain as a whole. This means looking not only at the cybersecurity of your own company, but also at that of your supply chain partners, such as suppliers, manufacturers, logistics providers, retailers and distributors.
By the way, NIS2 applies based not on where you are located, but on where you do business. So if your company provides services that fall under essential activities anywhere in the European Union, you must comply with the Directive. This is true even if you do business with a non-European party that performs essential activities in the European Union!
To comply with the NIS2 Directive, you must be familiar with its specific requirements and understand how they apply to your organization. It is important to assess your organization's current level of security and identify areas for improvement. Take a look at the National Cyber Security Centre's (NCSC) Cybersecurity Measures Guide, which will certainly help you get the basics right.
Then develop a compliance plan, which may require you to implement new security measures, update existing measures, or create new policies and procedures. Consult with relevant stakeholders, regulators and supply chain partners to ensure they are aware of the requirements of the NIS2 Directive.
Finally, it is important to regularly monitor and evaluate your compliance efforts to determine where additional efforts are needed. Remember, NIS2 compliance is an ongoing process and it is important to stay current and continually improve your security measures.
Looking for a complete to-do list and guidelines? Check out the website of Samen Digitaal Veilig, an initiative of MKB-Nederland.
Published by RiskStudio